swa66 - 2:27 pm on Sep 6, 2013 (gmt 0)
I think you found the answer: the secret you share with the browser can be reused to connect just as the password could.
A few things:
I md5 and salt the user password for storage in the database.
That's a decent start, but not good enough:
- md5 really should not be used anymore - it's broken.
- for storing passwords you really must also use a SLOW hash. md5 (and sha-1, the sha-2 variants etc. are all fast hashes)
Make the hash as costly as you can bear.
A simple sha-1 or md5 is peanuts for the average passwords your users will chose to crack using dictionaries.
setcookie(... false, false)
is a bad choice: you do not limit the browser to send the cookie on on https connections, but it will also send it (in the clear!) on http connections to site(s) in your domain.
Finally, although I guess you have found it by now:
all you need is a single cookie: it's a random value and you store on the server side the user, timeout to log them out etc. If you store such info in the browser a smart attacker will change it...